How to talk about cybersecurity risks, colloquially


Our language for describing and discussing cybersecurity risks is failing. It’s failing to elevate our conversations with boards and company executives. It’s failing to provide a full picture of an organization’s security risks. It’s failing to garner investment in critical processes, technologies and people to defend organizations from cyber threats.

To solve a problem, we need to know where we’ve been and where we’re going. We’ve used the same language to describe risk for many years: risk = likelihood x impact.

But risk is not as simple as a formula with straightforward calculations. Instead of simplifying the situation, we’ve added cybersecurity terms like threat, vulnerability, threat actor, exploit and probability, which make it harder. We complicate the problem further by using terms such as threat, threat actor and vulnerability interchangeably.

These terms are defined by NIST and other standards and accrediting bodies, but in practice, we often conflate them, confusing ourselves and the audience we’re seeking to enlighten.

Systems are more complex than ever. The number and complexity of attacks have increased, and new languages, tools and computing capabilities have…
